Carl_Wallmark
Valued Contributor

VRRP issue

Hi guys, I (my customer) have an issue with VRRP which we believe is a bug. We have tried FortiOS 5.0.7, 5.0.8 and 5.2.0. We have configured VRRP on a couple of VLANs on two FG100D, and when we do a failover with vrdst it works the first time from Master to Backup, but when the master with a higher priority is up again it fails to go back (we can see that the firewall reacts through debug messages but it does not change the role to Master). And yes, preempt is enabled. It's a very simple config but it does not work as we expect it to work. Has anyone noticed this or could try this in their lab? Thanks.

FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C

Warren_Olson_FTNT

If you have set preempt and modified the priority on master, that should be all you need to do to ensure master takes back over when it returns online. I would open a support ticket to make sure it's being tracked or at least officially explained.
Carl_Wallmark
Valued Contributor

We have, but no qualified help so far. Thought I'd ask the forum while waiting.

emnoc
Esteemed Contributor III

Selective, is preempt enabled on both devices? I had the same problem as what you're seeing b4 and it was due to me enabling preempt on one device only and one interface. I never got the issue resolved btw and am curious as to what you do. Please follow up in this thread if you get it working.

PCNSE 

NSE 

StrongSwan  

Carl_Wallmark
Valued Contributor

Hi, Yes, we have enabled preempt on both devices, but still it won't fail back. It's a shame it won't work; this customer is a very large company that builds cars in Sweden and they bought a couple of firewalls to have them in an Ocean Race around the globe. The solution relies on VRRP and it just won't work. But I'll post my findings when I have them.

Warren_Olson_FTNT

Selective, please be sure to make support aware of the urgency and don't be afraid to request a higher tier since it sounds like this is urgent.
Carl_Wallmark
Valued Contributor

Yes, we are trying. The race starts in October and if it's not fixed in September they will have to take them out and rebuild their solution. Not the best first encounter with FortiGates.

emnoc
Esteemed Contributor III

FWIW I tested this under 4.0 MR3 p18 and it works. I didn't have time to set up vrdst, but just swapping priorities on the Cisco gateway shows the FortiGate pre-empt and revert. Both devices had preemption enabled. Adv interval was set at 1 sec for both devices.

cisco

    !
    interface GigabitEthernet0/0.500
     encapsulation dot1Q 500
     ip vrf forwarding vrrp
     ip address 1.0.0.10 255.255.255.0
     vrrp 10 ip 1.0.0.1
     vrrp 10 preempt delay minimum 3
     vrrp 10 priority 2
    end

and fortigate;

    config system interface
        edit "wan2"
            set vdom "root"
            set ip 1.0.0.11 255.255.255.0
            set type physical
            config vrrp
                edit 10
                    set priority 90
                    set vrip 1.0.0.1
                next
            end
        next
    end

And Selective, that email I sent shows wan2 in the debug, and the port cfg was actually wan2 and not port5. So ignore port5 and replace with wan2. My cable was a little bit too short so I moved it at the last minute and reconfigured, fwiw; I don't have anything non-production that I can test under 5.x but

( cisco revert to backup fgt 1.0.0.11 is now master )

    Aug 12 14:19:55.340: VRRP: Grp 10 Event - Advert higher or equal priority
    Aug 12 14:19:55 UTC: %VRRP-6-STATECHANGE: Gi0/0.500 Grp 10 state Master -> Backup
    Aug 12 14:19:56.340: VRRP: Grp 10 Advertisement priority 122, ipaddr 1.0.0.11
    Aug 12 14:19:56.340: VRRP: Grp 10 Event - Advert higher or equal priority
    Aug 12 14:19:57.348: VRRP: Grp 10 Advertisement priority 122, ipaddr 1.0.0.11
    Aug 12 14:19:57.348: VRRP: Grp 10 Event - Advert higher or equal priority
    Aug 12 14:19:58.340: VRRP: Grp 10 Advertisement priority 122, ipaddr 1.0.0.11
    Aug 12 14:19:58.340: VRRP: Grp 10 Event - Advert higher or equal priority
    Aug 12 14:19:59.340: VRRP: Grp 10 Advertisement priority 122, ipaddr 1.0.0.11
    Aug 12 14:19:59.340: VRRP: Grp 10 Event - Advert higher or equal priority
    Aug 12 14:20:00.344: VRRP: Grp 10 Advertisement priority 122, ipaddr 1.0.0.11
    Aug 12 14:20:00.344: VRRP: Grp 10 Event - Advert higher or equal priority
    Aug 12 14:20:01.340: VRRP: Grp 10 Advertisement priority 122, ipaddr 1.0.0.11
    Aug 12 14:20:01.340: VRRP: Grp 10 Event - Advert higher or equal priorityte
    Aug 12 14:20:02.340: VRRP: Grp 10 Advertisement priority 122, ipaddr 1.0.0.11
    Aug 12 14:20:02.340: VRRP: Grp 10 Event - Advert higher or equal priorityrm mon
    Aug 12 14:20:03.340: VRRP: Grp 10 Advertisement priority 122, ipaddr 1.0.0.11
    Aug 12 14:20:03.340: VRRP: Grp 10 Event - Advert higher or equal priorityo
    Aug 12 14:20:04.340: VRRP: Grp 10 Advertisement priority 122, ipaddr 1.0.0.11
    Aug 12 14:20:04.340: VRRP: Grp 10 Event - Advert higher or equal priorityn mon

    rlan#show vrrp interface gi 0/0.500
    GigabitEthernet0/0.500 - Group 10
      State is Backup
      Virtual IP address is 1.0.0.1
      Virtual MAC address is 0000.5e00.010a
      Advertisement interval is 1.000 sec
      Preemption enabled, delay min 3 secs
      Priority is 100
      Master Router is 1.0.0.11, priority is 122
      Master Advertisement interval is 1.000 sec
      Master Down interval is 3.609 sec (expires in 3.173 sec)

and debug app on fgt

    [vrrp_vrt_adv_timer_func:1082]: wan2, vrid 10, vrip 1.0.0.1, (1043->1043)
    [vrrpd_loop:1454]: ret 0
    [vrrp_vrt_adv_timer_func:1082]: wan2, vrid 10, vrip 1.0.0.1, (1043->1043)
    [vrrpd_loop:1454]: ret 0
    [vrrp_vrt_adv_timer_func:1082]: wan2, vrid 10, vrip 1.0.0.1, (1043->1043)
    [vrrpd_loop:1454]: ret 0
    [vrrp_vrt_adv_timer_func:1082]: wan2, vrid 10, vrip 1.0.0.1, (1043->1043)
    [vrrpd_loop:1454]: ret 0
    [vrrp_vrt_adv_timer_func:1082]: wan2, vrid 10, vrip 1.0.0.1, (1043->1043)
    [vrrpd_loop:1454]: ret 0
    [vrrp_vrt_adv_timer_func:1082]: wan2, vrid 10, vrip 1.0.0.1, (1043->1043)
    [vrrpd_loop:1454]: ret 0
    [vrrp_vrt_adv_timer_func:1082]: wan2, vrid 10, vrip 1.0.0.1, (1043->1043)
    [vrrpd_loop:1454]: ret 0
    [vrrp_vrt_adv_timer_func:1082]: wan2, vrid 10, vrip 1.0.0.1, (1043->1043)
    [vrrpd_loop:1454]: ret 0
    [vrrp_vrt_adv_timer_func:1082]: wan2, vrid 10, vrip 1.0.0.1, (1043->1043)
    [vrrpd_loop:1454]: ret 0
    [vrrp_vrt_adv_timer_func:1082]: wan2, vrid 10, vrip 1.0.0.1, (1043->1043)
    [vrrpd_loop:1454]: ret 0
    [vrrp_vrt_adv_timer_func:1082]: wan2, vrid 10, vrip 1.0.0.1, (1043->1043)

and

    [vrrp_vrt_adv_timer_func:1082]: wan2, vrid 10, vrip 1.0.0.1, (1043->1043)
    [vrrpd_loop:1454]: ret 1
    [vrrp_packet_proc:1425]: wan2, 10 0x01000001, 2 134
    [vrrp_vrt_leave_master:995]: wan2, vrid 10, vrip 1.0.0.1, (122 1 1)
    [vrrp_vrt_goto_backup:1066]: wan2, vrid 10, vrip 1.0.0.1, (122 1 1)
    [vrrpd_loop:1454]: ret 1
    [vrrp_packet_proc:1425]: wan2, 10 0x01000001, 1 134
    [vrrpd_loop:1454]: ret 1
    [vrrp_packet_proc:1425]: wan2, 10 0x01000001, 1 134
    [vrrpd_loop:1454]: ret 1
    [vrrp_packet_proc:1425]: wan2, 10 0x01000001, 1 134
    [vrrpd_loop:1454]: ret 1
    [vrrp_packet_proc:1425]: wan2, 10 0x01000001, 1 134
    [vrrpd_loop:1454]: ret 1
    [vrrp_packet_proc:1425]: wan2, 10 0x01000001, 1 134
    [vrrpd_loop:1454]: ret 1
    [vrrp_packet_proc:1425]: wan2, 10 0x01000001, 1 134
    [vrrpd_loop:1454]: ret 1
    [vrrp_packet_proc:1425]: wan2, 10 0x01000001, 1 134

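The fail-back behaviour this thread expects, as an added example that is not part of any post and is not FortiOS or Cisco code: a sketch of the RFC 3768 (VRRPv2) timer and election rules, using the priorities 100 and 122 and the 1-second advertisement interval from the show output above. The function names and the priority 130 are assumptions for illustration, and Cisco's extra "preempt delay minimum" is not modelled.

```python
"""VRRPv2 (RFC 3768) election rules; illustrative sketch with constructed inputs."""
from ipaddress import IPv4Address


def skew_time(priority: int) -> float:
    # Skew_Time = (256 - Priority) / 256 seconds
    return (256 - priority) / 256


def master_down_interval(priority: int, adv_interval: float = 1.0) -> float:
    # Master_Down_Interval = 3 * Advertisement_Interval + Skew_Time
    return 3 * adv_interval + skew_time(priority)


def master_yields(local_prio, local_ip, adv_prio, adv_ip) -> bool:
    """Master state: step down on a higher priority advert, or on an
    equal priority advert from a numerically higher source address."""
    if adv_prio == 0:          # peer is resigning, nothing to yield to
        return False
    if adv_prio > local_prio:
        return True
    return adv_prio == local_prio and IPv4Address(adv_ip) > IPv4Address(local_ip)


def backup_takeover_time(local_prio, master_prio, preempt,
                         adv_interval=1.0, horizon=10.0):
    """Backup state: time at which Master_Down_Timer fires while the current
    master keeps advertising every adv_interval, or None if it never fires."""
    deadline = master_down_interval(local_prio, adv_interval)
    t = adv_interval
    while t <= horizon:
        if t >= deadline:
            return deadline    # timer fired before this advert arrived
        if master_prio == 0:
            deadline = t + skew_time(local_prio)
        elif not preempt or master_prio >= local_prio:
            deadline = t + master_down_interval(local_prio, adv_interval)
        # else: preempt is on and the advert is lower priority, so it is
        # discarded and the timer keeps running toward takeover
        t += adv_interval
    return deadline if deadline <= horizon else None


if __name__ == "__main__":
    print("master down interval, priority 100:", master_down_interval(100))
    print("backup 130 vs master 122, preempt on :",
          backup_takeover_time(130, 122, preempt=True))
    print("backup 130 vs master 122, preempt off:",
          backup_takeover_time(130, 122, preempt=False))
```

A backup that keeps resetting its timer on lower-priority adverts, despite preempt being enabled, would show the symptom described in the first post.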
ggntt
Contributor

Hi there

 

We have 2 x 60D's running 5.2.2 with VRRP enabled.

We are also having issues.

 

Basically some of the end user devices end up routing out over the standby device.  

It seems that the standby device does not know the primary device is online, yet other end user devices are going out over the primary device.

 

Any ideas?
